Technical and Organizational Measures (TOM)
OPTEN AG

(A) General Provisions

This document describes the technical and organizational measures implemented by OPTEN AG to protect the confidentiality, integrity, and contractually agreed availability of personal data.

(B) Technical and Organizational Security Measures

1. Confidentiality

1.1. Physical Access Control

"Unauthorized individuals must be prevented from physically accessing data processing facilities where customer data (including personal data) is processed or used."

Implemented Measures:

  • Access control system (chip card)
  • Key management / key issuance
  • Door security (electronic door openers)
  • Regular review of permanent access authorizations

1.2. User Control

"It must be ensured that data processing systems cannot be used by unauthorized persons."

Implemented Measures:

  • Access control system (chip card)
  • Key management / key issuance
  • Door security (electronic door openers)
  • Regular review of permanent access authorizations


1.3. Data Access Control and Storage Control

"It must be ensured that authorized users of a data processing system can only access data necessary for their tasks ('Need-to-Know' principle) and within their access rights, and that customer data (including personal data) cannot be read, copied, modified, or removed without authorization during processing, use, or after storage."

Implemented Measures:

  • Differentiated permissions (profiles, roles)
  • Monitoring & reports
  • No account sharing (one account used by several persons); every user is assigned a unique user ID


2. Integrity

2.1. Transmission Control (Transport Control, Data Carrier Control, and Disclosure Control)

"It must be ensured that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission, transportation, or storage on data carriers, and that it is possible to verify and determine to which recipients a transmission of personal data by data transmission facilities is intended."

Implemented Measures:

  • Encryption / tunnel connection (VPN = Virtual Private Network)
  • Logging & monitoring
  • Transport security


2.2. Input Control and Logging

"It must be ensured that it is possible to retrospectively verify and determine whether and by whom personal data has been entered, modified, or removed in data processing systems."

Implemented Measures:

  • Logging and log evaluation systems


3. Availability and Resilience

3.1. Availability Control and Recovery

"It must be ensured that customer data (including personal data) is protected against accidental or deliberate destruction or loss. Rapid recoverability must be ensured."

Implemented Measures:

  • Backup procedures
  • IT system resilience
  • Integrity of IT systems
  • Disk mirroring (e.g., RAID)
  • Separate storage
  • Antivirus protection / firewall

3.2. Resilience and Reliability

"It must be ensured that IT systems remain functional to the greatest extent possible even in the event of disruptions and errors. Furthermore, it must be ensured that IT system malfunctions are reported internally."

Implemented Measures:

  • IT systems are designed to maintain essential functions even in case of disruptions or errors
  • Facilities are planned and implemented to ensure appropriate fault tolerance based on risk assessment
  • Processes for reporting malfunctions to management are implemented

4. Procedures for Regular Review, Assessment, and Evaluation

4.1. Data Protection Management

Implemented Measures:

  • Privacy policy
  • Employee privacy policy
  • Data Processing Agreement (DPA)
  • Technical and Organizational Measures (TOM)
  • Training sessions

4.2. Incident Response Management (Detection and Mitigation or Elimination of Data Security Breaches)

Implemented Measures:

  • Training sessions
  • Defined processes

4.3. Privacy by Default Settings

Implemented Measures:

  • The principle of data minimization is applied: data is collected only for the purposes specified in the privacy policy

4.4. Order Control

"No data processing by third parties or subcontractors without explicit instructions from the customer."

Implemented Measures:

  • Clear contractual arrangements
  • Written order issuance
  • Selection criteria for service providers
  • Monitoring of contract execution


Latest Version: August 2023